Systems and Methods for Automated Memory and Thread Execution Anomaly Detection in a Computer Network
Abstract
Systems and methods are provided for detecting an anomaly in a computer that is part of a population of networked computers. Snapshots are received from a plurality of computers within the population of computers, where individual snapshots include a state of assets and runtime processes of a respective computer. An asset normalization model is generated from the snapshots and serves as a baseline model for detecting an anomaly in the state of assets and runtime processes of a respective computer. A snapshot from at least one of the computers is compared to the asset normalization model in order to determine whether an anomaly is present in a state of static assets and runtime processes of the at least one of the computers.
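A minimal sketch of the receive, model and compare flow described in the abstract, added here as an example and not taken from the patent. It assumes the baseline is the per-fact prevalence across the population; the thresholds `rare` and `common`, the snapshot layout and all host, process and module names are constructed for illustration.

```python
from collections import Counter

def flatten(snapshot):
    """Turn one snapshot into a set of (kind, name, value) facts."""
    facts = {("asset", name, value) for name, value in snapshot["assets"].items()}
    for proc, modules in snapshot["processes"].items():
        facts.add(("process", proc, "running"))
        facts.update(("module", proc, m) for m in modules)
    return facts

def build_model(snapshots):
    """Baseline (assumed form): fraction of the population showing each fact."""
    counts = Counter()
    for snap in snapshots.values():
        counts.update(flatten(snap))
    total = len(snapshots)
    return {fact: n / total for fact, n in counts.items()}

def compare(snapshot, model, rare=0.2, common=0.8):
    """Return facts unexpectedly present on, or absent from, one computer."""
    facts = flatten(snapshot)
    present = sorted(f for f in facts if model.get(f, 0.0) <= rare)
    absent = sorted(f for f, p in model.items() if p >= common and f not in facts)
    return {"unexpected_present": present, "unexpected_absent": absent}

def _host(extra_modules=(), agent_running=True):
    # Constructed sample snapshot: static assets plus runtime processes/modules.
    snap = {
        "assets": {"kernel32.dll": "sha256:aaaa"},
        "processes": {"explorer.exe": {"shell32.dll", *extra_modules}},
    }
    if agent_running:
        snap["processes"]["avagent.exe"] = {"avcore.dll"}
    return snap

# Nine identical hosts and one that differs in its runtime state.
POPULATION = {f"host{i:02d}": _host() for i in range(1, 10)}
POPULATION["host10"] = _host(extra_modules=["inject.dll"], agent_running=False)
MODEL = build_model(POPULATION)

if __name__ == "__main__":
    for host, snap in POPULATION.items():
        result = compare(snap, MODEL)
        if any(result.values()):
            print(host, result)
```

Only `host10` is reported: a module loaded into `explorer.exe` that no other host has, and a process that is running on the rest of the population but missing here.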
35 Claims
1. A method for detecting an anomaly in a computer that is part of a population of networked computers, the method comprising:
- receiving snapshots from a plurality of computers within the population of computers, wherein individual snapshots include a state of assets and runtime processes of a respective computer;
- generating an asset normalization model from the snapshots that serves as a baseline model for detecting an anomaly in the state of assets and runtime processes of a respective computer; and
- comparing a snapshot from at least one of the computers to the asset normalization model to determine whether an anomaly is present in a state of static assets and runtime processes of the at least one of the computers.
13. A system for detecting an anomaly in a computer that is part of a population of networked computers, comprising:
- a network interface configured to receive snapshots from a plurality of computers within the population of computers, wherein individual snapshots include a state of assets and runtime processes of a respective computer; and
- a processor configured to:
  - generate an asset normalization model from the snapshots that serves as a baseline model for detecting an anomaly in the state of assets and runtime processes of a respective computer; and
  - compare a snapshot from at least one of the computers to the asset normalization model to determine whether an anomaly is present in a state of static assets and runtime processes of at least one of the computers.
25. One or more computer readable storage media storing instructions for detecting an anomaly in a computer that is part of a population of networked computers, the instructions, when executed by a processor, cause the processor to:
- receive snapshots from a plurality of computers within the population of computers, wherein individual snapshots include a state of assets and runtime processes of a respective computer;
- generate an asset normalization model from the snapshots that serves as a baseline model for detecting an anomaly in the state of assets and runtime processes of a respective computer; and
- compare a snapshot from at least one of the computers to the asset normalization model to determine whether an anomaly is present in a state of static assets and runtime processes of the at least one of the computers.
Specification